Analysis
-
max time kernel
131s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 08:21
Static task
static1
Behavioral task
behavioral1
Sample
82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe
Resource
win10v2004-20241007-en
General
-
Target
82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe
-
Size
798KB
-
MD5
cae600b2915b9fa9e4d434165847e94d
-
SHA1
1c2a32fd7219149a17000f8205622139daf0af83
-
SHA256
82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0
-
SHA512
a353bdf3f195eeb66c15d510bf1322ac5fa33cf2e7d1a0ea88a97a872bc6fc9cc7afd52d64fe0df8a8b365d0fa99266670609d6996c5b099111a7908b6b827fd
-
SSDEEP
12288:yMrYy907ajmawoV3W6EIqdghGSwsYDcv4DjovcYcj1zIXX3dQpDXx1oN/vn:CyMZaFV7NHYn44mVszaX3daDXzY/vn
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0009000000023bc8-19.dat family_redline behavioral1/memory/4532-21-0x0000000000030000-0x0000000000062000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
kpY58OG.exekex71Sr.exedUK42Ea.exepid Process 4608 kpY58OG.exe 4892 kex71Sr.exe 4532 dUK42Ea.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exekpY58OG.exekex71Sr.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kpY58OG.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" kex71Sr.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exekpY58OG.exekex71Sr.exedUK42Ea.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kpY58OG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kex71Sr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dUK42Ea.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exekpY58OG.exekex71Sr.exedescription pid Process procid_target PID 4484 wrote to memory of 4608 4484 82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe 83 PID 4484 wrote to memory of 4608 4484 82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe 83 PID 4484 wrote to memory of 4608 4484 82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe 83 PID 4608 wrote to memory of 4892 4608 kpY58OG.exe 85 PID 4608 wrote to memory of 4892 4608 kpY58OG.exe 85 PID 4608 wrote to memory of 4892 4608 kpY58OG.exe 85 PID 4892 wrote to memory of 4532 4892 kex71Sr.exe 86 PID 4892 wrote to memory of 4532 4892 kex71Sr.exe 86 PID 4892 wrote to memory of 4532 4892 kex71Sr.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe"C:\Users\Admin\AppData\Local\Temp\82e337bbbd9ed64906d0930e2fdc29a708f9c7bfb954c019665da5cf6d14b4e0.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kpY58OG.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kpY58OG.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kex71Sr.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kex71Sr.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUK42Ea.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUK42Ea.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
694KB
MD5a89bfab0ac8d30a956df483f5811996b
SHA1c0a8286f27c07c94463769e757c4936b928bfbbb
SHA2560cfbed1996a3f90c7d59c4cad9655be441202e9e8bcc260ec37ff2012bc0cb9f
SHA5123fe24784b3e9c467c682730a1d591311dec15220861d0119fa027becd2d01a617cc9e2a31c55caadf822fd895d8ce11d585d37cef6727915c021eccd9735a31e
-
Filesize
507KB
MD5e14479ec6ca0b2c9f76c82c62882eb2c
SHA1135428801d34ce83fdb74363b335bc2ab675125f
SHA256517e3a0ea49961c8a815aa245fbe57f7e282ab12ace2ff08a85c911773a3ce4a
SHA512ed5107e1ccf15eef2f6a09c27d378e39adb09c05c4e9cace6994a99ee6e27b446c534448ed7b40aa6ff4f07cdf789bde48455b1f425603d2c18958aa802172f4
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec